Enforcing systrace on binaries

Joachim Blaabjerg

Mar 19, 2003, 2:02:29 PM
to te...@openbsd.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I've just written a little C wrapper to enforce systrace on all my
setuid/setgid files. The general idea is that all setuid/setgid files are
moved to /usr/libexec/suid/ (subject to change) which is root:suid (I added
a new group for the purpose) with permissions 0750. The wrapper is called
swrapper for now, and resides in /bin, owned by root:suid and with 2755
permissions. All setuid/setgid files are replaced by symlinks to the
swrapper binary, thusly:

styx@zaphod styx $ ls -l /sbin/ping
lrwxr-xr-x 1 root wheel 15 Mar 19 17:07 /sbin/ping -> ../bin/swrapper
styx@zaphod styx $ ls -l /bin/swrapper
-rwxr-sr-x 1 root suid 7376 Mar 19 17:47 /bin/swrapper

Upon being called, swrapper checks argv[0] to see what program it should
invoke, checks if the program exists in /usr/libexec/suid/, proceeds to
check if there's a policy for the program in /etc/systrace/, and finally
execve's the program as an argument to `systrace -a` (with arguments and
environment intact, of course).

The whole scheme is fully transparent for users, although it may have a
little overhead. Here's what it looks like for a regular user (beware of
wrapping):

styx@zaphod styx $ ls -l `which ping`
lrwxr-xr-x 1 root wheel 15 Mar 19 17:07 /sbin/ping -> ../bin/swrapper
styx@zaphod styx $ ping suxos.org > /dev/null &
[1] 26572
styx@zaphod styx $ ps axu | grep ping
styx 26572 3.2 0.0 800 384 p1 Sx 7:56PM 0:00.16 /usr/libexec/suid/ping suxos.org
styx 23923 0.0 0.0 896 512 ?? Ss 7:56PM 0:00.02 /bin/systrace -a /usr/libexec/suid/ping suxos.org
styx@zaphod styx $

What are your thoughts on this? I don't find it particularly elegant myself,
but it serves the purpose and helps me sleep better at night. I'll gladly
publish the (trivial) code online if there's any interest.

Best Regards,

--
Joachim Blaabjerg
Gentoo Linux Security Developer
GPG key @ http://cvs.gentoo.org/~styx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+eL3yFJKdDpq6hFsRAkzlAJ9RCSZluhhqfFcG4wnhE/COu12QDgCgimlB
z4yhvlns6NUYz77MnUMaRNM=
=7JHE
-----END PGP SIGNATURE-----
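
To make the scheme above concrete, here is an added example of such a wrapper in C. It is not Joachim's swrapper.c and was not taken from it; it only follows the layout he describes (/bin/swrapper as the symlink target, the real binaries in /usr/libexec/suid, policies in /etc/systrace, /bin/systrace as seen in the ps output) and assumes systrace's policy naming convention (the program's full path with every '/' replaced by '_'). The checks a reviewer would want in a setgid wrapper are the point: argv[0] is caller-controlled, so only its basename, restricted to a safe character set, is used to build the target path, and a binary that has no policy is refused rather than exec'd unconfined.

```c
/* Added example, not Joachim Blaabjerg's swrapper.c.  /bin/swrapper (root:suid,
 * 2755) is the symlink target of every set[ug]id program; the real binaries in
 * /usr/libexec/suid (root:suid, 0750) run under `systrace -a`, argv/env intact. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SUID_DIR   "/usr/libexec/suid"   /* layout from the post */
#define POLICY_DIR "/etc/systrace"
#define SYSTRACE   "/bin/systrace"       /* path seen in the ps output */

/* argv[0] is chosen by the caller, so it is never used as a path: only its
 * last component survives, limited to [A-Za-z0-9_.-] and not starting with
 * '.', so "", "..", "x/y" and "ping;rm" can't reach the file system. */
const char *wrapper_target_name(const char *argv0)
{
    static char name[64];
    const char *base;
    size_t i, n;

    if (argv0 == NULL)
        return NULL;
    base = strrchr(argv0, '/');
    base = base ? base + 1 : argv0;
    n = strlen(base);
    if (n == 0 || n >= sizeof name || base[0] == '.')
        return NULL;
    for (i = 0; i < n; i++)
        if (!isalnum((unsigned char)base[i]) && strchr("_.-", base[i]) == NULL)
            return NULL;
    memcpy(name, base, n + 1);
    return name;
}

/* systrace(1) names a policy after the program's full path with every '/'
 * replaced by '_': /usr/libexec/suid/ping -> usr_libexec_suid_ping. */
const char *wrapper_policy_name(const char *path)
{
    static char pol[1024];
    size_t i, n = strlen(path);

    if (n == 0 || n >= sizeof pol)
        return NULL;
    for (i = 0; i <= n; i++)                 /* <= n copies the terminator too */
        pol[i] = path[i] == '/' ? '_' : path[i];
    return pol[0] == '_' ? pol + 1 : pol;    /* drop the '_' from the root '/' */
}

/* <suid_dir>/<name> must be a regular file with a policy in <policy_dir>; a
 * missing policy is a refusal, never an unconfined exec.  Returns the path. */
const char *wrapper_resolve(const char *suid_dir, const char *policy_dir,
                            const char *name)
{
    static char path[1024];
    char polpath[2048];
    struct stat st;
    const char *pol;

    if (snprintf(path, sizeof path, "%s/%s", suid_dir, name) >= (int)sizeof path)
        return NULL;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return NULL;
    if ((pol = wrapper_policy_name(path)) == NULL ||
        snprintf(polpath, sizeof polpath, "%s/%s", policy_dir, pol) >= (int)sizeof polpath)
        return NULL;
    if (stat(polpath, &st) != 0 || !S_ISREG(st.st_mode))
        return NULL;
    return path;
}

/* Build { SYSTRACE, "-a", path, argv[1..argc-1], NULL } for execv(3). */
char **wrapper_build_argv(const char *path, int argc, char **argv)
{
    char **nv = calloc((argc > 0 ? (size_t)argc : 1) + 3, sizeof *nv);
    int i;

    if (nv == NULL)
        return NULL;
    nv[0] = SYSTRACE;
    nv[1] = "-a";
    nv[2] = (char *)path;
    for (i = 1; i < argc; i++)
        nv[i + 2] = argv[i];
    return nv;                               /* calloc zeroed the terminator slot */
}

int main(int argc, char **argv)
{
    const char *name = wrapper_target_name(argc > 0 ? argv[0] : NULL);
    const char *path = name ? wrapper_resolve(SUID_DIR, POLICY_DIR, name) : NULL;
    char **nv = path ? wrapper_build_argv(path, argc, argv) : NULL;

    if (nv != NULL)
        execv(SYSTRACE, nv);                 /* execv keeps the environment intact */
    fprintf(stderr, "swrapper: refusing to run, or exec failed\n");
    return 126;
}
```

Installed as in the listing above (root:suid 2755, `ln -s ../bin/swrapper /sbin/ping` and friends), the wrapper never trusts the symlink name for anything but a directory lookup, and because `systrace -a` denies any system call the policy does not cover, a forgotten policy line shows up as a failing program rather than as an escape from the sandbox.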

Joachim Blaabjerg

Mar 20, 2003, 9:09:30 AM
to Jason Morefield, te...@openbsd.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 19 March 2003 21:29, you wrote:
> I would be interested in it even if no one else is. Thank you in advance.

Thanks, I was starting to lose faith here ;)

I've put the code up at http://cvs.gentoo.org/~styx/swrapper.c , and it
might need a good audit/lookover, as it was a ten minute hack. The
instructions are at the top of the file. As for systrace policies, I'm
working on policies for all (most, anyway) suid/sgid files on my system
this week, and if anyone's interested, I'll gladly share them as well.
Other than that, take a look at http://blafasel.org/~floh/he/ for policies,
and feel free to comment on the swrapper concept/code :)

Best Regards,

--
Joachim Blaabjerg
Gentoo Linux Security Developer
GPG key @ http://cvs.gentoo.org/~styx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+ecsFFJKdDpq6hFsRAllYAJ4qe5Vjy69g8MKRQ7xsxhTtBmdHnACeLyP/
PuVKv0l8YDrGGl5q9HGL1uI=
=CH3c
-----END PGP SIGNATURE-----

Dug Song

Mar 20, 2003, 1:05:32 PM
to te...@openbsd.org, Niels Provos
On Thu, Mar 20, 2003 at 03:07:01PM +0100, Joachim Blaabjerg wrote:

> I've put the code up at http://cvs.gentoo.org/~styx/swrapper.c , and
> it might need a good audit/lookover, as it was a ten minute hack.

while we're sharing, here's a quick systrace-related code / brain dump
from stuff we run on monkey (which runs with no setuid/gid binaries,
all fs's mounted nosuid, and all privileged daemons systraced).

client/server ch{fn,pass,sh}/passwd:

http://monkey.org/~dugsong/openbsd/xpw-1.0.tar.gz

client/server openpty():

http://monkey.org/~dugsong/openbsd/xptyd-1.1.tar.gz

systrace shell wrapper:

http://monkey.org/~dugsong/openbsd/stsh-1.0.tar.gz

all our user accounts are systraced from the login shell. our policy
is fairly restrictive, but our users don't do anything but e-mail,
WWW, IRC, SILC, and USENET anyway. here's the privsep policy we use
with systrace -aiU /usr/sbin/sshd (no support for port/agent
forwarding, remote root logins, etc.):

http://monkey.org/~dugsong/openbsd/usr_sbin_sshd

i use this stuff to systrace everything on my laptop as well. my
window manager's default xterm is systraced (which works when you
don't need any setuid bits on it, thanks to xptyd), and i start all
other X apps from xterms anyhow.

i also have "red" non-systraced xterms to build third-party software
under an inherited jail policy. e.g. after untarring from a regular
systraced xterm, i run in a red xterm:

systrace -g notification -i -d $HOME/configure sh configure
systrace -g notification -i -d $HOME/configure gmake

with the following limited policy:

http://monkey.org/~dugsong/openbsd/configure.tar.gz

which is how i generated the following screenshot :-)

http://www.citi.umich.edu/u/provos/systrace/screenshot-trojan.png

of course, i only run the resulting programs from a systraced xterm,
so i can generate a covering policy interactively. policy generation
is actually very convenient this way, using Niels' GTK notification
GUI client (the X11 one is somewhat painful).

i also have an inherited policy for dhclient, but i think you get the
picture already. it's also specific to my wonky mobile networking
setup - most policies, i find, tend to be non-portable this way.

there are some basic systrace "recipes" which might be worth sharing,
though - and if not the policies themselves, the basic approach
(e.g. how to set up an inherited policy for httpd allowing user CGI /
PHP / database access, or for procmail, or a secure CVS server, or an
SSH/IPsec gateway, etc.).

i realize we've been remiss in sharing some of this systrace work with
other folks, but we've been way too busy with other things, and
somewhat daunted by the idea of supporting a security system which
requires some intimate knowledge of what programs (and their exploits)
do at the syscall level. there have also been some useful features in
the canonical systrace that haven't been well-documented / integrated
into OpenBSD, like the "ask" action (similar to ssh-add -c).

perhaps it's time to set up a systrace.org mailing list?

-d.

---
http://www.monkey.org/~dugsong/

Ray

Mar 27, 2003, 8:40:35 PM
to Dug Song, te...@openbsd.org, Niels Provos
On Thu, Mar 20, 2003 at 01:01:56PM -0500, Dug Song wrote:
> while we're sharing, here's a quick systrace-related code / brain dump
> from stuff we run on monkey (which runs with no setuid/gid binaries,
> all fs's mounted nosuid, and all privileged daemons systraced).

Are there any reasons why one would not want to follow in monkey.org's
footsteps and eliminate all set[ug]id bits? I ask this because I
believe that OpenBSD still includes certain stuff with set[ug]id bits.

-Ray-

Ted Unangst

Apr 3, 2003, 7:21:13 PM
to Ray, te...@openbsd.org

i'm a little slow on responding to this. how are you going to make ping
work? i'm curious how monkey.org made it work.

--
"I am clearly more popular than Reagan. I am in my third term.
Where's Reagan? Gone after two! Defeated by George Bush and
Michael Dukakis no less."
- M. Barry, Mayor of Washington, DC

m...@rl206.org

Apr 3, 2003, 9:42:30 PM
to Ted Unangst, te...@openbsd.org
> i'm a little slow on responding to this. how are you going to make ping
> work? i'm curious how monkey.org made it work.
>

They gotta be using PRIVILEGE ELEVATION as referenced in systrace
manpage.

CIAO!
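
As an added illustration (not a policy from this thread, from monkey.org or from the systrace distribution), this is what the privilege elevation referred to above looks like in systrace's policy language, for a ping that is installed without its setuid bit. The syntax is systrace(1)'s `then permit as root` clause; the particular set of calls shown is an assumption and is deliberately incomplete, since only the raw-socket line is the one that needs elevation:

```text
Policy: /sbin/ping, Emulation: native
	native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_RAW" then permit as root
	native-fsread: filename eq "/etc/resolv.conf" then permit
	native-sendto: permit
	native-recvfrom: permit
```

With this in /etc/systrace/sbin_ping, the monitor grants root for that one socket(2) call and nothing else; the rest of ping runs as the invoking user, which is how a box with no set[ug]id binaries and nosuid file systems can still have a working ping. The monitor itself has to run as root for the `as root` clause to be honoured, and the remaining calls ping makes have to be added to the policy (interactively, or with `-A`) before `-a` will let it run.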
